Today's organisation faces many different risks and requirements that are ever-changing and quick to affect it. To address these growing complexities, organisations of every size (from SMEs to MNCs) have adopted a vision of Principled Performance: an approach to business that enables organisations to reliably achieve objectives while addressing uncertainty and acting with integrity.
At every level, the organisation needs to set objectives and strategies that should
In all of these cases, there often is a lack of ongoing, meaningful oversight from the governing body and this affects business/consumer confidence.
In achieving its objectives, the organisation needs to address these requirements and challenges. It should consider both threats and opportunities, meeting the assurance required in mandatory commitments. Focusing on Principled Performance at every level of the organisation establishes a common goal and culture that supports success. It involves all functional units, each with its own team, processes, technologies, and information. All these must work together for the optimisation of the organisation.
Principled Performance is a means to success, which can only be achieved by
These are linked and operated through fully integrated governance, risk management, and compliance capabilities.
GRC refers to Governance, Risk management and Compliance: the critical capabilities that must work together to achieve Principled Performance.
What it is NOT – It is not creating a mega-department of GRC and doing away with decentralized or programmatic approaches to risk and compliance management. Nor does it necessarily call for the use of only one GRC technology system.
What it IS – It is about establishing an approach that ensures the right people get the appropriate and correct information at the right times, that the right objectives are established, and that the right actions and controls necessary to address uncertainty and act with integrity are put in place.
When business activities operate in a silo, with their own information kept separate, it is highly likely that wrong or counter-productive objectives will be established. Moreover, sub-optimal strategies will be selected, and performance will not be optimised.
An organisation that strives to achieve Principled Performance will have a number of integrated capabilities and be able to track, communicate and manage them as one entity. In short, a GRC capability model should have the following key components:
An organisation that is able and willing to constantly learn, align, monitor its performance and review is firmly on course to improve that performance.
Most organisations in the digital economy cannot function without personal data; which makes data a major risk area that the organisation has to govern and manage. In fact, many jurisdictions require a dedicated DPO. Through the data protection framework prescribed for
to data risks/breaches, it is apparent that the DPMP framework is an operational manifestation of the GRC Learn, Align, Perform and Review process within the data protection field. For this reason, risk management in GRC and in DP are closely linked, and in many organisations the Data Protection function resides in the GRC (Compliance) department.
Watch our evergreen webinar to understand and join the discussion outlining what constitutes an effective Governance, Risk Management and Compliance (GRC) framework to reduce the risks associated with business operations and compliance.
Upskill your knowledge through courses on GRC. Look for a training programme that gives participants hands-on skills and tools, enabling the organisation to build a "risk convergence" platform.
"Our staff found the real-life cases beneficial to help them see more reality in the GRC principles. The activities created by Straits Interactive were especially effective to help us uncover gaps which we never knew existed. That enabled us to plan for controls to arrest our current and potential risks.
Overall, I fully endorse Straits Interactive's course proposal application to SSG to conduct GRC Professional Training (GRCP) as it would elevate the expertise of more professionals in the areas of Governance, Risk and Compliance, which are very critical in all operating environments."
- Senior Executive, Business Consultancy company
Join the DPEX Network community and be active in the exchange of ideas, best practices and network with fellow GRC professionals.
Article by: Leong Wai Chong, GRCP, CIPM
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.